CVE-2018-6341

MEDIUM

Facebook React 16.0.0 - 16.4.1 (ReactDOMServer) - XSS

Title source: rule

Description

React applications which rendered to HTML using the ReactDOMServer API (renderToString / renderToStaticMarkup) were not escaping user-supplied attribute names at render-time. Attribute values were escaped; only the attribute name was copied through verbatim, so the bug is reachable when an attacker controls a prop key, typically because a user-supplied object is spread into an element (`<div {...userInput} />`). That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
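The following is an added example, not code from React or from the PoC repository linked below. It models the attribute-emitting step of a server renderer in plain JavaScript (no react-dom dependency) so the described behaviour can be seen and tested offline: a "pre-fix" renderer that escapes values but copies attribute names through, beside a hardened renderer that drops any name failing an attribute-name grammar check, which is the approach the React fix took. The grammar regex here is a simplified ASCII-only assumption (React's validator also admits non-ASCII letter ranges), and `userInput` is a constructed sample of a user-controlled object being spread into an element.

```javascript
// Escape the characters that matter inside a double-quoted HTML attribute value.
const escapeHtml = (s) => String(s)
  .replace(/&/g, '&amp;')
  .replace(/"/g, '&quot;')
  .replace(/</g, '&lt;')
  .replace(/>/g, '&gt;')
  .replace(/'/g, '&#x27;');

// Assumption: simplified ASCII subset of the XML Name production.
// A real validator should also accept the non-ASCII letter ranges React allows.
const VALID_ATTRIBUTE_NAME = /^[:A-Z_a-z][:A-Z_a-z0-9.\-]*$/;
const isAttributeNameSafe = (name) => VALID_ATTRIBUTE_NAME.test(name);

// Model of the pre-fix behaviour described in the advisory:
// the value is escaped, the attribute NAME is emitted verbatim.
function renderAttrsVulnerable(props) {
  return Object.entries(props)
    .map(([name, value]) => ` ${name}="${escapeHtml(value)}"`)
    .join('');
}

// Hardened model: attributes whose name fails validation are dropped
// (React's fix likewise rejects invalid names and warns in development).
function renderAttrsHardened(props) {
  return Object.entries(props)
    .filter(([name]) => isAttributeNameSafe(name))
    .map(([name, value]) => ` ${name}="${escapeHtml(value)}"`)
    .join('');
}

// Shape of `<div {...props} />` after rendering to a string.
function renderDiv(props, renderAttrs) {
  return `<div${renderAttrs(props)}></div>`;
}

// Application-side mitigation for code that must spread user-controlled
// objects: strip unsafe keys before they ever reach the renderer.
function safeSpread(props) {
  return Object.fromEntries(
    Object.entries(props).filter(([name]) => isAttributeNameSafe(name)),
  );
}

// Constructed input: the attacker controls a prop KEY, not a value.
// The key closes the attribute and the tag, then injects markup.
const userInput = {
  'x="><script>alert(1)</script>': 'v',
  id: 'ok',
};

// Vulnerable model: '<div x="><script>alert(1)</script>="v" id="ok"></div>'
// Hardened model:   '<div id="ok"></div>'
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderDiv(userInput, renderAttrsVulnerable));
  console.log(renderDiv(userInput, renderAttrsHardened));
}
```

Note that escaping the value alone does nothing here: the payload sits entirely in the key, which is why validating (or allowlisting) attribute names is the relevant control. Upgrading react-dom to a fixed release is the real remedy; `safeSpread` is a defence-in-depth measure for code paths that spread untrusted objects into elements.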

Exploits (1)

nomisec WORKING POC
by diwangs · poc
https://github.com/diwangs/react16-ssr

Scores

CVSS v3 6.1
EPSS 0.1057
EPSS Percentile 93.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
facebook/react 16.0.0 - 16.0.1
npm/react-dom 16.0.0 - 16.0.1
Published Dec 31, 2018
Tracked Since Feb 18, 2026